On their way to convert legitimate traffic into malware-infected hosts using web malware exploitation kits, cybercriminals have been actively experimenting with multiple traffic acquisition techniques over the past couple of years. From malvertising (the process of displaying malicious ads), to compromised high-trafficked web sites, to blackhat SEO (search engine optimization), the tools in their arsenal have been systematically maturing to become today’s sophisticated traffic acquisition platforms delivering millions of unique visits from across the world, to the cybercriminals behind the campaigns.

What are some of the latest campaigns currently circulating in the wild? How are cybercriminals monetizing the hijacked traffic? Are they basically redirecting to the landing page of an affiliate network, earning revenue in the process, or are they serving malicious software to unsuspecting and gullible end and corporate users?

Let’s find out by profiling a currently active blackhat SEO (search engine optimization) campaign at the popular document sharing web site Scribd, currently using double monetization of the anticipated traffic, namely, redirecting users to a dating affiliate network, and serving malware in between.

More details:

Here’s how the campaign works in a nutshell: the cybercriminals behind it have registered multiple bogus accounts at Scribd and are using them to populate the site’s search index (including Google’s index) with adult-themed search queries. Once a user attempts to view the document, they’ll be exposed to a bogus video screen that’s basically an image with an embedded link pointing to a dating affiliate network, and to malware currently hosted at Comodo Backup’s infrastructure.

Screenshot of the bogus video screen displayed when viewing a sample document used in the campaign:

The URLs also include the affiliate network IDs of the cybercriminals. For instance, aff=gfeed12 earns revenue for the hijacked traffic once, and aff=94604856 earns revenue based on redirected traffic that results in actual transactions by newly registered members at the Find and Try dating network.
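An added example (not from the original post): a short Python sketch of how an analyst might group URLs collected from such a campaign by the `aff` value they carry, so that hosts sharing one affiliate ID can be tied to the same operator. The hostnames and sample URLs are constructed placeholders; only the parameter name `aff` and the two ID values come from the URLs described above.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample (e.g. pulled from a proxy log); all hosts are placeholders.
SAMPLE_URLS = [
    "http://dating-landing.example/join?aff=94604856&src=doc1",
    "http://redirector-a.example/go.php?aff=gfeed12",
    "http://redirector-b.example/out?id=7&aff=gfeed12",
    "http://redirector-b.example/out?id=9&AFF=gfeed12",  # same ID, different case
    "http://unrelated.example/page?ref=newsletter",      # no affiliate ID
    "not a url",                                         # malformed log entry
]

def affiliate_ids(url, param="aff"):
    """Return (host, [affiliate IDs]) for one URL; empty values if unparsable."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "", []
    query = parse_qs(parts.query)
    # Match the parameter name case-insensitively, keep the ID value verbatim.
    ids = [v for key, vals in query.items() if key.lower() == param for v in vals]
    return host, ids

def cluster_by_affiliate(urls, param="aff"):
    """Map each affiliate ID to the sorted list of hosts it was observed on."""
    clusters = defaultdict(set)
    for url in urls:
        host, ids = affiliate_ids(url, param)
        if not host:
            continue  # skip entries that are not absolute URLs
        for aff in ids:
            clusters[aff].add(host)
    return {aff: sorted(hosts) for aff, hosts in clusters.items()}

def shared_ids(clusters, min_hosts=2):
    """Affiliate IDs reused across several hosts: the strongest pivot points."""
    return sorted(aff for aff, hosts in clusters.items() if len(hosts) >= min_hosts)

if __name__ == "__main__":
    found = cluster_by_affiliate(SAMPLE_URLS)
    for aff, hosts in sorted(found.items()):
        print(f"aff={aff}: {', '.join(hosts)}")
    print("IDs seen on multiple hosts:", shared_ids(found))
```

An ID that recurs across otherwise unrelated hosts is a useful pivot for blocklists and for abuse reports to the affiliate network.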

Screenshot of the dating network Find and Try:

How are the cybercriminals making money through the affiliate network? According to the network’s rules, new participants can earn up to $100 for every 1000 visitors that they send, 75% on initial member fees, plus 50% on all recurring fees.

Screenshot of the affiliate network’s monetization offerings:

The following domains have also been registered with the same email used to register blogultram.com and searchallforfree.com

This isn’t the first time that Scribd has been abused by cybercriminals monetizing the hijacked traffic through multiple campaign optimization techniques. In 2009, I exposed several scareware (fake security software) serving campaigns that were once again hijacking legitimate traffic using Scribd: